States giving privacy officers a seat at the table

By Stephanie Kanowitz

Apr 22, 2019

The chief privacy officer role in state governments is relatively new, but increasingly important. States manage a great deal of personal information -- birth, death and marriage certificates; driver’s licenses; criminal and victim records; and financial information, to name just a few -- and must adhere to privacy regulations, which differ based on data type. States are recognizing the value of CPOs, according to a new report by the National Association of State Chief Information Officers.

The number of state CPOs has risen from one in 2003 to about 12 now, according to the report, titled “Perspectives on Privacy.” Eighty-three percent of CPOs have been in the position for less than four years.

The structure of the role varies from state to state. Forty-two percent of CPOs report to the state’s CIO, 33% report to the chief information security officer, 8% to the chief data officer and 17% to others, the NASCIO report stated.

All but two CPOs said they have authority over the executive branch, while two said they have authority over only their own agencies. Most also said they consult with and advise the judicial and legislative branches.

The 12 CPOs described typical workday activities, which depend on the maturity of the state’s privacy program and how much authority the office has. Several CPOs recommended learning about agencies’ business, so they can better meet their privacy needs, and many said they conduct or administer privacy training for agency employees. Some work with a point person at other agencies to delegate privacy-related tasks.

“Of course, despite their efforts at training and striving to bring agencies into a proactive mindset around privacy, any CPO will spend time responding and reacting to privacy incidents and answering the privacy, legal and compliance questions that arise from agencies,” the report stated.

Unsurprisingly, privacy culture also is related to how mature a program is. Those with more-developed programs view privacy proactively, while newer ones take a more reactive stance.

When NASCIO asked survey respondents what state leaders considering adding a CPO should think about, three main themes emerged: CPOs need an enterprise view, a budget and enforcement authority, and a point of contact at every agency.

CPOs have a variety of titles -- chief compliance officer, privacy program manager, compliance and privacy officer, for example -- but regardless of the specifics, the report stated, “it’s safe to say that most states have someone working on privacy issues even if it’s not their full-time job or not at the enterprise level.”